
Computer security-A survey

In document JEFFERSON who (pages 69-81)

by PETER S. BROWNE

General Electric Information Services Business Division, Rockville, Maryland

ABSTRACT

With the growing requirements for protection generated by legislation such as the 1974 Privacy Act, the increasing complexity of computer and data communications applications, and increasing awareness regarding computer vulnerabilities, the discipline of computer security is achieving independent recognition.

Current data processing literature is a rich source of information. Articles and papers regarding security, design of software protection, operational practices and auditing number in the thousands. Most of them are very narrow in scope or so general that they are of little use.

It is important to the data processing professional to be able to sort out the large body of material in order to gain perspective. This paper attempts that by relying on a carefully selected and fully annotated bibliography of 134 items, many of them of interest to the systems analyst or designer. These papers are referenced in the text, which attempts to carefully distinguish between the technical and operational elements of computer security, while providing an overall perspective.

INTRODUCTION

The computer has unleashed countless opportunities for industrial growth, new applications, labor-saving accomplishments, and improvement of the quality of decisions. Most industrial and governmental organizations could not survive without the processing capability of their computer systems, and it can be shown that society itself is dependent upon the computer.23 At the same time, computer technology has spawned a whole new field of crime and has generated a series of problems for both designers and users of information systems.2

With the growing pervasiveness of computers, their increasing complexity and the development of sophistication regarding computer vulnerabilities, the discipline of computer security is achieving widespread recognition. Many organizations have created the position of DP security specialist or manager87,92 and college courses in computer security are being taught.69 There are a number of driving forces behind the interest, some of which are outlined below.

Historical

In the middle 1960's, Congress began discussing the issues of privacy and the computer. A national data bank was proposed. Congressional committees were established, and public testimony published.132 The general consensus was that technology had not advanced to the point where privacy could be maintained.

Concern over the inherent lack of controls in computer systems led to much discussion and some activity on the technological front. A landmark meeting of active professionals in computer security in 1972 set the stage for an understanding of the technological issues and led to intensive design efforts to achieve "secure" computer systems.lS

In the meanwhile, activity on the legislative and social fronts saw a culmination in the Privacy Act of 1974 (Public Law 93-579). This act applied privacy requirements to most computer systems operating within the Federal Government. It also generated a number of papers regarding implementation requirements,90,105,110 and attempts to determine the true cost of privacy, especially as applied to large, multi-use data banks.10,57

The need for computer security is also affected by technological factors. As systems become more complex and sophisticated, so do the problems of data integrity. Resource-sharing systems achieve their greatest advantage when used simultaneously by many customers. This also means simultaneous processing of data with varying needs for confidentiality and pervasive needs for accuracy.6 The problems of management control also have increased as the flexibility and capability of systems improve.

The scope and complexity of the field become apparent when a survey of the literature turns up over a thousand articles dealing with physical security of computer assets, threats to the computer, protection against fraud, embezzlement, and other human failings, the need for insurance, software protection, hardware safeguards, legal considerations, risk assessment, auditing, computer system design and the principles of operating system software security.1,11,107 A multi-disciplinary approach is needed.95

Definitions

Computer security is a widely discussed subject, and a generally agreed definition refers to it as protection of data against accidental or intentional disclosure, destruction or modification. Security can be viewed as a problem of "comprehensive control," involving the development of means to insure that privacy decisions are enforced.37

Data confidentiality is "the status accorded to data which requires the protection from unauthorized disclosure."92 It refers to the protection of data from unauthorized disclosure, whether the basis for such protection is agreement, law, policy or prudent judgment.109

Privacy is a legal and social concept, having roots in constitutional law and social justice requirements. 66,132 It refers to the right of an individual to control the collection, storing and dissemination of data about himself.6

Data integrity is the protection of data against accidental or intentional destruction or modification. It also is the ensuring of accuracy and completeness of data. It involves the need for all components to operate together in a consistent and reliable manner.133

It can be seen that the object is data. We have been discussing data security as contrasted with computer security. To include the broader-based definition of the subject, and the need to think of the other assets involved such as computer hardware, facilities and people, the term 'processing integrity' has been coined.105 It is the property of having adequate processing capability, availability and reliability in order to provide the requisite services of data processing.

PLANNING FOR COMPUTER SECURITY

Threats and vulnerabilities

The result of a security breach is what usually draws attention to a threat, a vulnerability or a particular countermeasure. The short history of computer security is spotted with numerous "horrible examples," fads such as the interest in magnets as a threat, and implementations of security measures that are anything but cost-effective.80,101,131 A rational approach to the subject implies some sort of quantification of risks, and an analysis of the costs and benefits of countermeasures.

Although some articles and papers have called for this approach,23,:lo only recently has there been a serious attempt to model the risk-cost interface.20,40,79,87

One of the key steps in devising protection is the classification of various threats. There are two sources of threats, people and natural hazards.25 It is possible, though not easy, to quantify the threat of fire, earthquake, flood and storm.79 On the other hand, those events that arise from human acts such as mistakes, disgruntlement, fraud and sabotage are not always possible to quantify, namely because of the complexity of motivations, environmental considerations and the effect of in-place countermeasures imposed.100 The first step is to organize and classify the threats in a systematic mannerY Threats are usually part of the environment. On the other hand, the vulnerabilities of a particular computer system to those threats are dependent on a large number of factors relating to location, people, capabilities of the system, building structure, nature of the processing and operating practices.79 Most security surveys and evaluations are designed to review these installation dependent vulnerabilities and postulate countermeasures accordingly.84,102

Adequate cost-effective protection against data security threats is uncommon. Usually the implementation of computer security is given low priority. It has suffered from inadequate attention and analysis, with too many existing measures lacking flexibility, consistency, completeness and redundancy. These attributes are all necessary in order to achieve protection that works when it is supposed to. One-hundred percent security or reliability is never possible. What is needed is a set of security measures that take into account the failures, errors, omissions and vulnerabilities of any given environment.23,104

Risk analysis

Risk analysis is the term applied to the systematic quantification of threats, loss exposures and countermeasure benefits.20 The ingredients of a risk analysis are the postulation of threats and their probability, and the calculation of loss exposures, including degraded productivity, usually on an annualized basis. It is important not to ignore the very low probability, high loss events that occur so infrequently that the annual loss potential appears negligible. A high loss exposure, regardless of the probability, should be evaluated carefully. In any event, the apparent simplicity is misleading. It is not easy to quantify all the potential losses, to postulate all the threats or to estimate their probability. It is also a complex and time-consuming task, which accounts for the relatively few completed risk analyses to date.
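The annualized arithmetic the paragraph describes, as an added example that is not part of Browne's paper: each threat is given an annual frequency and a single-event loss, the annual loss expectancy is their product, countermeasures are scored by the expectancy they remove minus their own annual cost, and catastrophic events are flagged by single-event loss regardless of how small their expectancy looks. The threat names, frequencies, losses and reduction factors are constructed for illustration.

```python
"""Annualized risk analysis: threats, loss exposures and countermeasure benefits.

Added example, not from the original paper.  All figures below are
constructed for illustration, not measured data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    annual_frequency: float   # expected occurrences per year
    loss_per_event: float     # dollars per occurrence, including lost productivity


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    # threat name -> fraction of that threat's frequency the measure removes
    frequency_reduction: Dict[str, float] = field(default_factory=dict)


def annual_loss_expectancy(t: Threat) -> float:
    """Loss exposure on an annualized basis: frequency times single-event loss."""
    return t.annual_frequency * t.loss_per_event


def total_ale(threats: List[Threat]) -> float:
    return sum(annual_loss_expectancy(t) for t in threats)


def catastrophic(threats: List[Threat], max_absorbable_loss: float) -> List[str]:
    """Events whose single-event loss the organization could not absorb.

    Judged on loss alone: a small annual expectancy is not a reason to
    ignore them.
    """
    return [t.name for t in threats if t.loss_per_event >= max_absorbable_loss]


def net_benefit(threats: List[Threat], cm: Countermeasure) -> float:
    """Annual loss expectancy removed by the measure minus its annual cost."""
    removed = sum(
        annual_loss_expectancy(t) * cm.frequency_reduction.get(t.name, 0.0)
        for t in threats
    )
    return removed - cm.annual_cost


def rank_measures(threats: List[Threat],
                  measures: List[Countermeasure]) -> List[Tuple[float, str]]:
    """Measures ordered from most to least cost-effective."""
    return sorted(((net_benefit(threats, m), m.name) for m in measures), reverse=True)


# Constructed figures for a hypothetical installation.
THREATS = [
    Threat("operator keying error", 50.0, 400.0),        # frequent, small
    Threat("fraudulent transaction", 2.0, 15_000.0),     # occasional, moderate
    Threat("fire in machine room", 0.002, 5_000_000.0),  # rare, catastrophic
]
MEASURES = [
    Countermeasure("input validation routines", 8_000.0, {"operator keying error": 0.8}),
    Countermeasure("fire suppression system", 25_000.0, {"fire in machine room": 0.9}),
]

if __name__ == "__main__":
    print(f"total annual loss expectancy: {total_ale(THREATS):,.0f}")
    print("catastrophic regardless of expectancy:", catastrophic(THREATS, 1_000_000.0))
    for benefit, name in rank_measures(THREATS, MEASURES):
        print(f"{name}: net {benefit:+,.0f} per year")
```

Ranked by net benefit alone the fire suppression system comes out negative, because the fire's annual expectancy is only a few thousand dollars; `catastrophic` is what keeps it under consideration, which is the paper's point about low-probability, high-loss events.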

OPERATIONAL COMPUTER SECURITY

Computer systems are generally not designed with security as a primary objective.18 Generally, the large main-frame manufacturers claim that users have been slow to request security. Current research efforts by independent sources and manufacturers alike indicate that the next generation of computers will achieve adequate, measurable and certifiable protection in hardware and software.111

Much protection for computer systems can be implemented outside of the computer hardware and system software. Managers of computer installations have always been concerned with the problems of system integrity, processing availability and security. For them, physical security, backup and administrative controls are highly relevant.

Physical security

Physical security has been subjected to study and implementation long before the arrival of computers.

Implementation of physical access controls to computer facilities represents a generally agreed first step in achieving threat protection. The reason is that many threats, especially of a human nature, can be reduced by limiting access.28,131 To deal with the threat of fire, utility unreliability and environmental disturbances, numerous control and monitoring systems have been devised. All should be considered in the context of the overall DP security plan, even though responsibility for their implementation may be elsewhere in the organization.

Backup and recovery

Recovery planning to ease the pain if a disaster were to strike is important.29 The objective is to assess the capability of the organization to respond immediately, and ensure that supplies, data files, programs, documentation and equipment are available off-site. The contingency planning must be of sufficient detail so that in case of disaster, all the elements can be pulled together in order to resume operations in as short a time as possible.117

Administrative controls

The administrative burden of proceduralizing and formalizing a security program is generally underestimated. It takes great clerical resources to ensure adequate maintenance of a selective access program, whether it be selective authorization to data files or physical areas. Other administrative aspects include the development and implementation of security policies, guidelines, standards and procedures. Again, these functions may be centralized or decentralized, but stand a greater chance of success if the latter.39

Security in recent years has been a major concern of computer operations groups. It is here that the organization can channel resources most effectively to deal with the lack of security in operating systems or in application system design. It is a necessary but not sufficient condition for providing true computer security.21 One of the best guides for information about secure operating practices is the System Review Manual on Security, published by AFIPS.102 Other guidance can be found in the more exhaustive of the many checklists and guidebooks on computer security.44,61,79,84,87,92

Audit

Audit has been defined as "an independent and objective examination of the information system and its use (including organizational responsibilities) into:

the adequacy of controls, levels of risks, exposures and compliance with standards and procedures

the adequacy and effectiveness of system controls versus dishonesty, inefficiency and security vulnerabilities."18

Independent and objective are the key words. Whether or not an auditor's objective is the detection of fraud in computer systems, his role is certainly one of reviewing the adequacy of system security. Many CPA firms have finally recognized their unique role in security assurance.83,116 Some critics say their attention is still inadequate and not yet relevant.no Suffice to say that computer systems need auditing, both internal and external. It is not possible to even consider auditing "around the computer" because of the risks involved.

Given the nature of computer related threats and vulnerabilities, the traditional independence and inquisitiveness of the audit profession and the requirement for independent assessment of controls, it is logical that much computer security activity will be a part of the auditor's domain.26

TECHNICAL ELEMENTS

Even though the first line of defense is to rely on secure operational practices and physical security, the elements of system design have always intrigued computer security professionals. Obviously things can go wrong with hardware and software. Data integrity, encryption and security surveillance must be considered in any complete computer security program.

Understanding of these elements usually requires a person well-versed in systems programming and application system design. That the skills required in this area are completely different from (and perhaps incompatible with) the skills required for handling operational security problems has not been well identified in the literature. In addition, no present commercially available operating system is immune from penetration, and so the prevalent attitude is that it is futile to attempt to provide protection against the determined technical penetrator. However, much research and vendor effort is being devoted to the appropriate technical safeguards in operating systems.111

Identification

Positive identification of people, devices, programs, systems and processes is clearly a requirement for adequate security. Holding a person accountable for his actions is one of the first principles in good design. This requires certain knowledge that he is who he says he is. There are three approaches to personal identification: (1) identification based on passwords, (2) on credit card technology and (3) on personal characteristics of the requestor. Passwords are the most common method, but they suffer from some serious inadequacies.66 They should be random in nature and of sufficient length to avoid compromise.6 The use of credit cards, usually with a magnetically encoded stripe, is achieving great popularity, especially in regard to Electronic Funds Transfer Systems. This approach makes sense if the cards are controlled, used in conjunction with a unique personal identifier (PIN) and if the system is made aware of lost cards so that casual retrieval of a card will not be an open invitation to access. Identification based on personal characteristics, such as voiceprint or fingerprints, is still not a commercially popular methodology, but offers future promise.38 Identification not only relates to personnel access, but also to other system entities.

Security objects can be people, terminals, groups of people (cliques), programs, data communications devices or segments of virtual memory.85 Then one can specify restrictions based on a number of parameters such as the characteristics of the requestor (name, terminal, program, etc.), content of data (all salaries over $30,000), context of data (association of college grades, number of parking tickets and credit rating), or one can use procedures (formularies) based on the nature of the situation.67

Authorization

Once a system resource or person is identified, the problem of access by the identified subject becomes an important concern. Authorization refers to the establishment of allowable interactions among system elements.52,59 The traditional concept of authorization in system design presupposes that any system entity automatically is authorized access to any other system entity unless specifically prohibited. The secure concept of system design takes the opposite view. The concept of "least privilege" holds; namely, that any system entity is prohibited from access to another system entity unless specifically authorized. For example, there is no need for a peripheral allocator to be able to control or even have access to user data bases or other elements of the operating system. It should have knowledge of only those resources necessary for allocation of devices to jobs.111

The concept of an access matrix espoused by Conway, et al.36 appears to be the easiest way to implement access control, but the implementation is not clean.59 There are a number of choices that one can make in defining the rules of access. For example, what level or degree of privilege should be permitted? Are we talking about control of access to files, records, elements within records or specific hardware or software elements of the computer system?52,67,72
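A small access matrix in the sense of Conway et al., as an added example (not code from the paper or from any of the systems it cites): the same matrix class is built once with the traditional default-allow rule and once with the default-deny rule that "least privilege" requires, with a peripheral allocator that is granted only device allocation, and with a content-dependent grant on payroll records of the "all salaries over $30,000" kind mentioned under Identification. Subject, object and right names are hypothetical.

```python
"""Access matrix with default-deny versus default-allow.

Added example, not from the paper or any system it cites.  Subjects,
objects and rights are hypothetical names.
"""
from typing import Callable, Dict, Optional, Set, Tuple

Record = Dict[str, object]
Condition = Callable[[Record], bool]   # content- or context-dependent test


class AccessMatrix:
    """Rows are subjects (people, terminals, programs), columns are objects
    (files, records, devices); a cell holds the rights granted, each
    optionally qualified by a condition on the record being touched."""

    def __init__(self, default_allow: bool) -> None:
        self.default_allow = default_allow
        self._cells: Dict[Tuple[str, str], Dict[str, Optional[Condition]]] = {}
        self._denied: Set[Tuple[str, str, str]] = set()

    def grant(self, subject: str, obj: str, right: str,
              when: Optional[Condition] = None) -> None:
        self._cells.setdefault((subject, obj), {})[right] = when

    def deny(self, subject: str, obj: str, right: str) -> None:
        """Explicit prohibition; the only tool a default-allow design has."""
        self._denied.add((subject, obj, right))

    def allowed(self, subject: str, obj: str, right: str,
                record: Optional[Record] = None) -> bool:
        if (subject, obj, right) in self._denied:
            return False
        rights = self._cells.get((subject, obj), {})
        if right not in rights:
            # No entry in the cell: this is the design decision the paper contrasts.
            return self.default_allow
        condition = rights[right]
        if condition is None:
            return True
        # A content-dependent grant needs the record; without one, deny.
        return record is not None and bool(condition(record))


def build_least_privilege_matrix() -> AccessMatrix:
    m = AccessMatrix(default_allow=False)
    # The peripheral allocator knows only the device table.
    m.grant("peripheral_allocator", "device_table", "allocate")
    # Clerk may read payroll records only for salaries of $30,000 or less.
    m.grant("payroll_clerk", "payroll", "read", when=lambda r: r["salary"] <= 30_000)
    m.grant("payroll_manager", "payroll", "read")
    return m


def build_traditional_matrix() -> AccessMatrix:
    m = AccessMatrix(default_allow=True)
    # Every prohibition must be enumerated; anything forgotten stays open.
    m.deny("peripheral_allocator", "payroll", "read")
    return m


if __name__ == "__main__":
    lp, trad = build_least_privilege_matrix(), build_traditional_matrix()
    print(lp.allowed("peripheral_allocator", "device_table", "allocate"))      # True
    print(lp.allowed("peripheral_allocator", "user_database", "read"))         # False
    print(lp.allowed("payroll_clerk", "payroll", "read", {"salary": 25_000}))  # True
    print(lp.allowed("payroll_clerk", "payroll", "read", {"salary": 45_000}))  # False
    print(trad.allowed("peripheral_allocator", "user_database", "read"))       # True: never denied
```

The last line is the hazard of the traditional design: the user database was never mentioned when the traditional matrix was built, so the allocator can read it. Under default-deny the same omission yields no access at all.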

Much of the early work in authorization technology is the result of research activities.35,42,5~ The academic environment has fostered some good studies5;),59 which have led to some actual efforts at implementation.

Work at MITRE and the US Air Force on security kernels (provably small security reference monitors),86 at Stanford Research Institute on proofs of program correctness,/I at System Development Corporation for the DOD community,128 at MIT under Project MAC112 and at computer system manufacturers52,54 has led to actual demonstration of computer and communications systems with security as a prime design requirement.

An excellent but dated paper by Saltzer summarizes current (as of early 1975) research and development efforts.111

Integrity

Obviously, things can go wrong with hardware and software. Data can be (and frequently is) inconsistent or unreliable. Data integrity interfaces with computer security at almost every point. In fact, many observers see the two concepts as being nearly synonymous.105 A high integrity operating system can by its nature provide security against unauthorized use of system resources. System integrity is the condition of proper and predictable operation of the total system, including hardware, software and human elements. It includes the physical and operational security mechanisms in place.

Part of the integrity solution lies in providing an operating system that does not treat every operation as "benevolent," but in fact assumes that users are going to attempt to get into supervisor state, and are going to overreach the limits of the software design. Other corrective elements can be found in attempts to enhance the reliability and availability of applications.133

System audit trails

System surveillance, measurement and auditing are critical elements in providing the technical base for adequate security and integrity. The effectiveness and operability of the entire system, especially the protection mechanisms, must be continually scrutinized and measured. Management must be assured that the protection is in place and effective. Management must also be able to detect and to respond to events that constitute system security threats. Many of the same mechanisms used for performance measurement also can be used for monitoring of the protection mechanisms and the integrity of the entire system. A properly functioning audit mechanism should allow selected system events (OPEN, LOGON, etc.) to trigger an audit trail.32 The interfacing of system measurement and surveillance activity with the auditor is the subject of much activity and researchY9
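Detection logic run over a constructed audit trail, as an added example that is not from the paper: LOGON and OPEN records in an assumed line format are parsed, repeated LOGON failures from one terminal inside a time window are reported, and successful WRITE opens of protected files by users outside an authorized list are reported. The record format, user names, terminal names and file names are all constructed for illustration.

```python
"""Detection over an audit trail of LOGON and OPEN events.

Added example, not from the paper.  The record format and every line of
AUDIT_TRAIL are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample trail; assumed format: timestamp, event, key=value fields.
AUDIT_TRAIL = """\
1976-03-02 09:14:03 LOGON user=jdoe term=T07 result=FAIL
1976-03-02 09:14:21 LOGON user=jdoe term=T07 result=FAIL
1976-03-02 09:14:40 LOGON user=jdoe term=T07 result=FAIL
1976-03-02 09:15:02 LOGON user=jdoe term=T07 result=OK
1976-03-02 09:16:10 OPEN user=jdoe file=PAYROLL.MASTER mode=WRITE result=OK
1976-03-02 10:02:55 OPEN user=pclerk file=PAYROLL.MASTER mode=READ result=OK
1976-03-02 10:40:12 OPEN user=pclerk file=PAYROLL.MASTER mode=WRITE result=OK
1976-03-02 11:30:00 LOGON user=opr1 term=T01 result=OK
"""

# Hypothetical authorization list: file -> users allowed to open it for WRITE.
WRITE_AUTHORIZED: Dict[str, Set[str]] = {"PAYROLL.MASTER": {"pclerk", "pmgr"}}

_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<event>[A-Z]+) (?P<rest>.*)$"
)


def parse_trail(text: str) -> List[Dict[str, object]]:
    """One dict per well-formed record; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        fields: Dict[str, object] = dict(
            kv.split("=", 1) for kv in m["rest"].split() if "=" in kv
        )
        fields["ts"] = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        fields["event"] = m["event"]
        records.append(fields)
    return records


def failed_logon_bursts(records, threshold: int = 3,
                        window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, str, int]]:
    """(terminal, user, count) each time `threshold` or more LOGON failures
    from one terminal fall inside `window`; a sliding window per terminal."""
    recent: Dict[str, List[datetime]] = defaultdict(list)
    alerts = []
    for r in records:
        if r["event"] != "LOGON" or r["result"] != "FAIL":
            continue
        q = recent[r["term"]]
        q.append(r["ts"])
        while r["ts"] - q[0] > window:   # drop failures that aged out
            q.pop(0)
        if len(q) >= threshold:
            alerts.append((r["term"], r["user"], len(q)))
    return alerts


def unauthorized_writes(records, authorized: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """(user, file) for successful WRITE opens of a protected file by a user
    not on that file's list.  Files absent from `authorized` are not reported."""
    return [
        (r["user"], r["file"])
        for r in records
        if r["event"] == "OPEN" and r["mode"] == "WRITE" and r["result"] == "OK"
        and r["file"] in authorized and r["user"] not in authorized[r["file"]]
    ]


if __name__ == "__main__":
    recs = parse_trail(AUDIT_TRAIL)
    print("LOGON failure bursts:", failed_logon_bursts(recs))
    print("unauthorized WRITE opens:", unauthorized_writes(recs, WRITE_AUTHORIZED))
```

The two rules are deliberately independent of each other; in practice the interesting finding in this constructed trail is their conjunction, a burst of failures followed by a successful LOGON and then a WRITE the user was never authorized for, which is the kind of sequence the auditor interface the paragraph mentions would want surfaced together.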

CONCLUSION

As of early 1976, systems are in use which provide a high degree of computer security and integrity, and may provide the basis for systems accreditation. The

